[ http://issues.apache.org/jira/browse/BEEHIVE-1069?page=all ]
Daryl Olander updated BEEHIVE-1069:
-----------------------------------
Attachment: servletUpdate.zip
Add a page flow that demonstrates the error
> Exposed Properties on PageFlowController can be set by hidden fields in a
> form
> -------------------------------------------------------------------------------
>
> Key: BEEHIVE-1069
> URL: http://issues.apache.org/jira/browse/BEEHIVE-1069
> Project: Beehive
> Type: Bug
> Components: NetUI
> Versions: 1.0.1
> Reporter: Daryl Olander
> Assignee: Carlin Rogers
> Priority: Blocker
> Fix For: 1.0.1
> Attachments: servletUpdate.zip
>
> I have the following form, which changes the forward path to /bar.jsp:
> <netui:form action="submit">
>     <netui:hidden dataSource="pageFlow.currentPageInfo.forward.path"
>                   dataInput="/bar.jsp"/>
>     <netui:button value="submit" />
> </netui:form>
> I also have the following action in my page flow.
> @Jpf.Action(
>     forwards={
>         @Jpf.Forward(name="index", navigateTo = Jpf.NavigateTo.currentPage)
>     }
> )
> protected Forward submit(Form form)
> {
>     return new Forward("index");
> }
> If the current page is index.jsp, this should navigate back to that page;
> instead, when the form is submitted it navigates to bar.jsp. In my mind this
> is actually a security hole: I can dynamically change the navigation
> externally in this situation. I haven't played around with the other exposed
> properties; currentPageInfo, previousPageInfo and previousActionInfo all
> expose the same JavaBean, which is not immutable.
> I'm going to open a JIRA bug on this. I think this is critical and needs to
> be fixed now. My suggestion is that we rename these methods on the
> PageFlowController so they aren't picked up as JavaBean properties.
> I suggest we do this to:
> currentPageInfo
> previousPageInfo
> previousActionInfo
> moduleConfig
> actions
> We need to spin a new release on this.
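The mechanism described in the ticket, as an added example that is not part of the ticket or of Beehive's own code: a minimal stand-in for a dotted data-binding write (walking JavaBean getters with java.beans.Introspector and invoking the final setter) applied to two stand-in controllers. ExposedController, RenamedController, PageInfo and Forward are assumed, simplified types, not the real NetUI classes, and the "pageFlow." prefix is assumed to have already been resolved to the controller instance. The first controller exposes getCurrentPageInfo(), so the hidden field's path reaches Forward.setPath(); the second applies the rename the ticket suggests, and the same path is rejected because no bean property named currentPageInfo exists.

```java
import java.beans.BeanInfo;
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;

public class HiddenFieldBinding {

    // Assumed stand-ins for the NetUI types; not the real Beehive classes.
    public static class Forward {
        private String path;
        public String getPath() { return path; }
        public void setPath(String path) { this.path = path; }   // mutable, as in the ticket
    }

    public static class PageInfo {
        private final Forward forward = new Forward();
        public Forward getForward() { return forward; }          // bean property "forward"
    }

    /** Vulnerable shape: a getter, so introspection exposes it as property "currentPageInfo". */
    public static class ExposedController {
        private final PageInfo current = new PageInfo();
        public PageInfo getCurrentPageInfo() { return current; }
    }

    /** Hardened shape (the ticket's suggestion): not a getter, so not a bean property. */
    public static class RenamedController {
        private final PageInfo current = new PageInfo();
        public PageInfo currentPageInfo() { return current; }
    }

    /** Minimal model of a dotted data-binding write: read each segment via its getter, then call the last setter. */
    public static void bind(Object root, String dottedPath, String value) throws Exception {
        String[] parts = dottedPath.split("\\.");
        Object target = root;
        for (int i = 0; i < parts.length - 1; i++) {
            target = readProperty(target, parts[i]);
        }
        PropertyDescriptor pd = findProperty(target.getClass(), parts[parts.length - 1]);
        Method setter = pd.getWriteMethod();
        if (setter == null) {
            throw new IllegalArgumentException("no setter for " + dottedPath);
        }
        setter.invoke(target, value);
    }

    private static Object readProperty(Object bean, String name) throws Exception {
        Method getter = findProperty(bean.getClass(), name).getReadMethod();
        if (getter == null) {
            throw new IllegalArgumentException("no getter for " + name);
        }
        return getter.invoke(bean);
    }

    /** Looks the property up exactly as JavaBean introspection would: getX()/setX() pairs only. */
    private static PropertyDescriptor findProperty(Class<?> type, String name) throws IntrospectionException {
        BeanInfo info = Introspector.getBeanInfo(type);
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            if (pd.getName().equals(name)) {
                return pd;
            }
        }
        throw new IllegalArgumentException("no bean property '" + name + "' on " + type.getSimpleName());
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the ticket's hidden field, with the "pageFlow." prefix already resolved.
        String attackerPath = "currentPageInfo.forward.path";

        ExposedController exposed = new ExposedController();
        bind(exposed, attackerPath, "/bar.jsp");
        System.out.println("exposed controller forward path is now: "
                + exposed.getCurrentPageInfo().getForward().getPath());

        RenamedController renamed = new RenamedController();
        try {
            bind(renamed, attackerPath, "/bar.jsp");
        } catch (IllegalArgumentException e) {
            System.out.println("renamed controller rejected the write: " + e.getMessage());
        }
    }
}
```

Renaming the getter closes this particular path only as long as no other bean property still leads to the same mutable object; an allowlist of the properties a form is permitted to bind, checked before the path is walked at all, is the more general defense against this class of hidden-field writes.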
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira